The bug hunter Bhavuk Jain received an award of $100,000 by Apple, as part of its bug bounty program, for reporting a severe vulnerability that could allow the takeover of third-party user accounts.
The vulnerability was affecting the Apple ‘Sign in with Apple‘ system, it could have allowed remote attackers to bypass authentication and take over targeted users’ accounts on third-party services and apps that have been registered using ‘Sign in with Apple’ machanism.
Sign in with Apple allows users to sign in to their apps and websites using their Apple ID. Instead of filling out forms, verifying email addresses, and choosing new passwords, they can use Sign in with Apple to set up an account and start using your app right away. The accounts are protected with two-factor authentication, and Apple does not track users’ activity in their app or website.
Bhavuk Jain discovered how to bypass authentication mechanisms and access to third-party user accounts by using the target’s email ID.
The expert explained that the vulnerability affects how client-side user validation requests are handled.
The Sign in with Apple could authenticate a user via a JSON Web Token (JWT) or a code generated by a server.
“The Sign in with Apple works similarly to OAuth 2.0. There are two possible ways to authenticate a user by either using a JWT (JSON Web Token) or a code generated by the Apple server. The code is then used to generate a JWT. The below diagram represents how the JWT creation and validation works.” reads the post published by the expert.
Apple allows users to choose if they want to share the Apple Email ID with the 3rd party app or not. In case the user opts to hide the email ID, Apple generates a JWT token containing it which is then used by the third-party service to authenticate a user.
Jain discovered that is was possible to request a JWT token for any email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they are considered as validation.
“I found I could request JWTs for any email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid,” Jain continues . “This means an attacker could forge a JWT by linking any email ID to it and gaining access to the victim’s account.”
Due to this validation issue, any third-party service using Sign in with Apple could have been vulnerable to account hijacking attacks.
“The impact of this vulnerability was quite critical as it could have allowed a full account takeover. Many developers have integrated Sign in with Apple since it is mandatory for applications that support other social logins.” states the expert.
Many popular applications support the Sign in with Apple feature, including Dropbox, Spotify, Airbnb, and Giphy, that could have been vulnerable to a full account takeover if there were leveraging only on the security measures implemented by Apple.
iCloud accounts could have been hacked exploiting this issue too.
The good news is that Apple is not aware of attacks that exploited the flaw in the wild.
Apple has already addressed the flaw.
(SecurityAffairs – Apple, cybersecurity)